Fortify Software

Web Applications Under Attack – Four Eye-Opening Findings

Executive Summary

Today’s business and government organizations depend on software applications to conduct their operations. The need to exchange information with customers, partners and suppliers requires these applications to open up to the outside world, bypassing the firewalls and other traditional network security designed to protect them and the valuable data they hold. These “open”, largely web-enabled applications face ever greater levels and types of attack as hackers exploit vulnerabilities in the software itself.

Although there are numerous reports covering viruses, network-based attacks, public vulnerability announcements, and Spam/Phishing schemes, there is little empirical data on the attacks that specifically target web applications. This report aims to shed light on how applications are being attacked.

Over the past six months, Fortify Software gathered data via its Fortify Defender product from numerous Internet-facing sources. Data for this report was collected from live sites that use Fortify Defender, for the express purpose of highlighting key findings and trends in real-world attack patterns.

From this data, Fortify expert analysis identified four top trends that can serve to inform decisions around application security strategies:

  1. Bot Storming
  2. The Rise of “Google Hacking”
  3. Directed Attacks
  4. The Global and Invisible Nature of Web Application Attackers

Key Trends

1. Bot Storming – The Most Common Web Attack Method

On average, 50%-70% of the attacks experienced by web applications come from bots and bot networks searching for known vulnerabilities. These automated “probes” seek out unprotected or unpatched components in applications and deliver their malicious payload when they find one. The effect is much like a storm raging over a landscape: the probes are sprayed across the Internet and ceaselessly (and somewhat randomly) hit web applications.

Over a sample one-week period, our monitored applications were bombarded by:

  • Seven (7) distinct attacks from separate IP addresses, amounting to 52 attempts to access .php files. Given their frequency and content, they most likely originated from machines infected by worms that periodically launch these automated attacks. For example, one attack was a 13-second sequence of 12 probes from IP 202.69.164.91 (APNIC WHOIS lists the owner as ComClark Network & Technology Corp. in Pampanga, a province of the Philippines). The distinct URLs requested included:

    /webcalendar/tools/send_reminders.php
    /webcalendar/send_reminders.php
    /modules/PNphpBB2/includes/functions_admin.phpfunctions_admin.php
    /modules/PNphpBB2/includes/functions_admin.php
    /modules/includes/functions_admin.php
    /phpBB2/admin_styles.php
    And many other similar probes into areas of known vulnerabilities.
  • Attacks originated from a broad geography: the Philippines, Poland, Hungary, Canada and the US. The largest number of attacks came from inside the United States.

Probes of this type can be negligible or catastrophic, depending on how the web application is built. For example, the web applications monitored with Fortify Defender are primarily Java/J2EE-based and consequently do not suffer from PHP-based attacks; for them these requests are no more than noise in the 404 log. However, probes against other infrastructures can be the forerunner of worm-based and even directed attacks, and the same probe sequence is worth recognizing wherever it lands.
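A detector for this pattern, as an added example in Python (it is not part of the report and not Fortify Defender’s code): it parses constructed access-log lines in the Apache combined format, counts requests for known-vulnerable paths per source IP inside a sliding time window, and flags a host that sends a dozen probes in about thirteen seconds, the shape of the sequence described above. The IP addresses (RFC 5737 documentation ranges), timestamps, log format and path patterns are assumptions made for the example.

```python
"""Detect a bot-storm burst in web server access logs.

Added example, not from the Fortify report and not Fortify Defender code.
Requests are grouped by client IP; a source that issues `min_probes`
requests for known-vulnerable paths inside a sliding window of `window`
is flagged. Log lines, IPs and timestamps below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths whose only plausible purpose is exploiting a known-vulnerable
# component; the patterns mirror the probes quoted above. Extend them
# from your own 404 log.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (
    r"/webcalendar/.*send_reminders\.php",
    r"/modules/.*functions_admin\.php",
    r"/phpbb2?/.*\.php",
    r"/(?:admin|phpmyadmin|xmlrpc)\.php",
)]

def is_probe(path: str) -> bool:
    return any(p.search(path) for p in PROBE_PATTERNS)

def parse_line(line: str):
    """Return (ip, timestamp, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]

def find_bursts(lines, min_probes=10, window=timedelta(seconds=15)):
    """Map each flagged IP to (probe_count, first_seen, last_seen) of the
    probes in its window the last time the threshold was reached."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[1])
    recent = defaultdict(deque)       # ip -> probe timestamps still in window
    flagged = {}
    for ip, ts, path in records:
        if not is_probe(path):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop probes that aged out of the window
            q.popleft()
        if len(q) >= min_probes:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged

# --- constructed sample: 12 probes in 13 s from one host, plus other traffic
def _line(ip, second, path, status="404"):
    return (f'{ip} - - [12/Apr/2006:03:15:{second:02d} -0700] '
            f'"GET {path} HTTP/1.0" {status} 512')

_PROBES = list(zip(
    [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 12, 13],
    ["/webcalendar/tools/send_reminders.php",
     "/webcalendar/send_reminders.php",
     "/modules/PNphpBB2/includes/functions_admin.php",
     "/modules/includes/functions_admin.php",
     "/phpBB2/admin_styles.php",
     "/phpBB2/viewtopic.php",
     "/phpbb/admin_styles.php",
     "/xmlrpc.php",
     "/modules/PNphpBB2/includes/functions_admin.php",
     "/webcalendar/send_reminders.php",
     "/phpBB2/admin/admin_styles.php",
     "/modules/includes/functions_admin.php"]))

SAMPLE_LOG = (
    [_line("203.0.113.91", s, p) for s, p in _PROBES]
    + [_line("198.51.100.7", 3, "/index.html", "200"),
       _line("198.51.100.7", 9, "/images/logo.png", "200"),
       _line("192.0.2.44", 5, "/phpBB2/admin_styles.php")]   # one-off probe, no burst
)

def burst_report():
    return find_bursts(SAMPLE_LOG)

if __name__ == "__main__":
    for ip, (n, first, last) in burst_report().items():
        print(f"{ip}: {n} probes in {(last - first).total_seconds():.0f}s "
              f"from {first:%H:%M:%S}")
```

The single probe from 192.0.2.44 is deliberately not flagged: one request for a phpBB admin page is indistinguishable from a mistyped URL, and it is the burst, not the path, that marks a worm. Tune `min_probes` and `window` against a week of your own logs before acting on the output.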

2. The Rise of “Google Hacking”

Search engines like Google collect a wealth of information about every web site they index. If a web site inadvertently reveals sensitive information or advertises the presence of a vulnerability, Google’s index of the site will contain evidence of the flaw. For example, a web application may return diagnostic information such as a stack trace when a page breaks. Hackers can use that information to map out the components and internal structure of the application, and the stack trace may also reveal the brands and versions of the components involved.

The web applications in our sample contained a surprising number of flaws of this type: 20-30% of all security events in our monitoring pool were due to them. Fortify classifies vulnerabilities of this kind under categories such as privacy violation, information leakage and unhandled exception. Often the application had been left logging data for debugging purposes, or exposed stack trace information when some operation failed. The “fix” for these errors is typically an engineering change to the application, either a reconfiguration or a code modification. In other words, these openings are classic “bugs” in the application code, with their potential impact magnified by this growing hacker technique.
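What the leak and its fix look like in code, as an added example (Python WSGI, standard library only; it is not from the report, whose monitored applications are Java, and the handler, account data and header choices are assumptions): the same unhandled exception is raised in both handlers. The leaky one returns the stack trace to the client, so a crawler that indexes the broken URL records module names, file paths and line numbers; the hardened one logs the trace server-side under an incident reference, returns a fixed message, and marks the response as not indexable.

```python
"""Stack-trace leakage: the vulnerable handler beside the hardened one.

Added example (not from the Fortify report). Assumes a plain WSGI
deployment; the account table and URLs are constructed.
"""
import logging
import traceback
import uuid
from urllib.parse import parse_qs

log = logging.getLogger("app")

def lookup_account(account_id: str) -> str:
    """Toy backend that fails on bad input the way a real DAO might."""
    accounts = {"1001": "alice", "1002": "bob"}   # constructed data
    return accounts[account_id]                   # KeyError on unknown id

def handle(environ):
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    account_id = qs.get("id", [""])[0]
    return "200 OK", f"owner={lookup_account(account_id)}"

def app_leaky(environ, start_response):
    """Diagnostics sent to the client: the trace names internal functions,
    file paths and line numbers, and a search engine crawling the broken
    URL will index every line of it."""
    try:
        status, body = handle(environ)
    except Exception:
        status, body = "500 Internal Server Error", traceback.format_exc()
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def app_hardened(environ, start_response):
    """Same fault; the trace goes to the server log keyed by an incident
    id, the client gets a fixed message, and the response is marked
    noindex/no-store so the failure is neither informative nor cached."""
    try:
        status, body = handle(environ)
        headers = [("Content-Type", "text/plain")]
    except Exception:
        incident = uuid.uuid4().hex
        log.error("incident %s path=%s\n%s", incident,
                  environ.get("PATH_INFO"), traceback.format_exc())
        status = "500 Internal Server Error"
        body = f"An error occurred. Reference: {incident}"
        headers = [("Content-Type", "text/plain"),
                   ("X-Robots-Tag", "noindex"),
                   ("Cache-Control", "no-store")]
    start_response(status, headers)
    return [body.encode()]

def call(app, query):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/account",
               "QUERY_STRING": query}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], dict(captured["headers"]), body

if __name__ == "__main__":
    for app in (app_leaky, app_hardened):
        print(app.__name__, call(app, "id=9999"))
```

The incident reference is the part that makes the hardened version livable for support staff: the user can quote it, and the full trace is in the server log where it belongs. In a Java/J2EE deployment the equivalent change is a catch-all error page in the deployment descriptor plus a container log appender, a configuration change rather than a code one.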

3. Directed Attacks – The Most Dangerous Web Application Attack Method

Directed attacks are security events that target a specific web site. Unlike worms, this type of attack has a human directly behind it; even if that human uses an automated tool, the intent is still aimed at a particular target. These attacks are less frequent, but far more sophisticated and dangerous to the application under attack. The favorite techniques appear to be cross-site scripting, SQL injection and buffer overflow attacks.

Examples of directed attacks over a four-week period across our web application base include:

  • On Friday, April 21, beginning at 1:00am PST, 3,125 security events were generated from Vietnam Posts and Telecommunications address space. The attacker alternated between 5 IP addresses during the attack and used a commercial penetration-testing tool, Acunetix Web Vulnerability Scanner (Fortify Defender recognizes the signatures of rootkits and automated penetration-testing tools). The majority of the events were probes of the form logs.html, test.html, tmp/, CVS/Root, database.inc, admin/, pw/, bak/, passwd, readme.txt, root/, admin.db, private/, etc.; 194 events were cross-site scripting attacks. Example attack strings:

    <script>
       alert('wvs-xss-magic-string-1346220347');
    </script>

    <script>
       var wvs_xss_test_variable=1990206184;alert(wvs_xss_test_variable);
    </script>

  • On Tuesday, March 14, at 10:36am PST, the IP address 80.6.65.126 changed the value of a decoy cookie field. Fortify Defender had inserted a decoy identifier, account#, into the web application’s cookie for the sole purpose of detecting tampering: the application itself never uses the value, so no legitimate client activity changes it. The only reason to alter it is to reach data other than what the user was authenticated for. In other words, there is no room for doubt that this was a directed attack.
  • On Monday, April 10, at 1:24am PST, a China-based attacker attempted to perform a cross-site scripting attack manually using the tag. The attempt appears to have been meant to deface the web application by injecting advertising messages into its links.
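One way to implement both the decoy cookie and the scanner-signature check, as an added example in Python (not Fortify Defender’s implementation, which the report does not describe): a decoy field that the application never reads is placed in the session cookie and the whole cookie is HMAC-signed, so a change to that field can only be a deliberate attempt to reach another account, while an ordinary signature failure (stale key, corruption) is reported separately. Request parameters are matched against the Acunetix marker strings quoted above and a bare script tag. The key, field names, decoy derivation and sample requests are assumptions made for the example.

```python
"""Decoy cookie (honeytoken) and scanner-signature detection.

Added example, not Fortify Defender code. The `acct` field is a decoy the
application never reads; the cookie is HMAC-signed so any edit is
detectable and an edit to the decoy is unambiguously deliberate.
"""
import hashlib
import hmac
import re

SECRET = b"rotate-me-and-keep-out-of-source"   # assumed; load from a vault

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _decoy_for(sid: str) -> str:
    """Decoy value derived from the session id, so the server can tell what
    it should be without storing anything; looks like a 4-digit account."""
    digest = hmac.new(SECRET, b"decoy:" + sid.encode(), hashlib.sha256).hexdigest()
    return str(1000 + int(digest[:6], 16) % 9000)

def issue_cookie(sid: str) -> str:
    payload = f"sid={sid};acct={_decoy_for(sid)}"
    return f"{payload};sig={_sign(payload)}"

def check_cookie(cookie: str) -> str:
    """Return 'ok', 'malformed', 'decoy_tampered' or 'signature_invalid'."""
    fields = dict(f.split("=", 1) for f in cookie.split(";") if "=" in f)
    if not {"sid", "acct", "sig"} <= fields.keys():
        return "malformed"
    payload = f"sid={fields['sid']};acct={fields['acct']}"
    if hmac.compare_digest(_sign(payload).encode(), fields["sig"].encode()):
        return "ok"
    # Signature failed. If the decoy no longer matches what this session
    # was issued, the client edited the one field only an attacker would.
    if fields["acct"] != _decoy_for(fields["sid"]):
        return "decoy_tampered"
    return "signature_invalid"

# Marker strings from the Acunetix WVS payloads quoted above, plus a
# bare script tag as the simplest XSS indicator.
SCANNER_MARKERS = re.compile(r"wvs-xss-magic-string|wvs_xss_test_variable", re.I)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)

def classify_request(cookie: str, params: dict) -> list:
    """Label a request with the security events it triggers (may be empty)."""
    events = []
    verdict = check_cookie(cookie)
    if verdict != "ok":
        events.append(f"cookie:{verdict}")
    for name, value in params.items():
        if SCANNER_MARKERS.search(value):
            events.append(f"scanner:acunetix:{name}")
        if SCRIPT_TAG.search(value):
            events.append(f"xss:{name}")
    return events

if __name__ == "__main__":
    c = issue_cookie("s1")
    print(classify_request(c, {"q": "hello"}))
    print(classify_request(c.replace("acct=", "acct=9"), {}))
    print(classify_request(c, {
        "q": "<script>alert('wvs-xss-magic-string-1346220347');</script>"}))
```

The decoy should look like something worth changing (an account number, a role id) and must never be consulted by application logic; if it is ever read, a client-side bug rather than an attacker can change it and the signal is lost.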

4. The Global and Invisible Nature of Web Application Attackers

Attack origins are not confined to particular localities or geographic regions. In a three-month period, security events were generated from:

  • USA (top origin)
  • China
  • Poland
  • Australia
  • Vietnam
  • Hungary
  • Canada
  • Netherlands
  • And many others.

An important note is that there are various techniques an attacker can use to cover their tracks on the Internet. One is to hide behind a proxy server or a chain of proxy servers.

For normal Internet use, when a connection is made from one computer on the Internet to another (for example, from a laptop in a cafe in Prague to the computer hosting the CIA’s World Factbook website), each computer must supply its Internet Protocol (IP) address to the other so that data can be transmitted between them. To avoid duplicates that would cause communication conflicts, blocks of IP addresses are allocated through the regional registries to Internet Service Providers around the world. So in theory, if you know a computer’s IP address you may be able to figure out where that machine is physically located: a particular country, a region of a country, a city, and sometimes even a street address.

Various “anonymizing” technologies have been developed, however, to make it difficult to determine the origin of an Internet connection. In the best cases, they prevent repressive governments from punishing political opponents. In the worst cases, they let malicious hackers attack other computers with little chance of being physically caught.

One recent addition to this mix is Anonym.OS, a specialized variant of the freely available BSD Unix operating system (it is built on OpenBSD) that transparently encrypts and anonymizes the traffic sent from a computer. “Through this process, a host machine can be introduced to an arbitrary network (hotel broadband, WiFi hotspot, client network, etc.) without leaving any discernible fingerprints or telltale footprints.” [http://kaos.to./ ’Building an Anonym.OS’] Part of what makes this work is a series of anonymizing proxies at various locations around the world that act as intermediaries whose sole purpose is to obscure the origin of the connection (the hacker’s computer). For example, when browsing the web from a machine running Anonym.OS, a user sitting in Palo Alto, California may appear to the destination web site to be located in Amsterdam, because the IP address the site sees is that of the last proxy in the chain, which may reach the Internet via an ISP in the Netherlands. Each proxy forwards traffic to the next in the chain, and the last one forwards it to the destination; the web site’s logs therefore record only the exit proxy, never the originating connection. For a defender this means the country-of-origin figures above describe where the last hop was, not necessarily where the attacker sat.

Conclusions

From the “storm” created by bot networks attempting to exploit known vulnerabilities to directed attacks that try to manipulate specific sites, web applications are being bombarded. This and future reports highlight key trends and findings so that organizations can better mitigate the risks posed by exposed and vulnerable web applications.

Fortify Software’s solution turns exposed and vulnerable software into fortified applications that withstand attack. Fortify does this through innovative, patent-pending technology that attacks the problem from the “inside out” rather than the “outside in”.

The Fortify solution:

  • Removes security vulnerabilities at the root cause – the software.
  • Fortifies applications to withstand external and internal misuse.
  • Tracks progress and compliance across projects.

Fortify’s technology introduces a fundamental improvement in software application security and a meaningful departure from today’s ineffective outside-in approaches. The Fortify solution turns security policies into secure code, secure code into secure applications, and secure applications into secure business processes at run time. Fortify’s products include Fortify Source Code Analysis, Fortify Tester and Fortify Defender.

Data for this report was collected from “live” sites that use Fortify Defender and agreed to share their data for the express purpose of highlighting key findings and trends in real-world attack patterns.

Additional Background

As network routers, firewalls and operating systems have matured, web applications have become one of the most popular attack vectors. Consequently, application security has been identified as one of the most important battlefields for protecting against identity and asset theft and malicious use, and for preserving system uptime and integrity.

Web applications are technologies that rely on a browser for their user interface and are often hosted on Web servers. They are a convenient way for users to share, create, or modify content through a Web browser. Web application vulnerabilities are particularly worrisome because they can expose information publicly over the Internet. They may allow an attacker to access confidential information from databases without having to compromise any servers. They may also allow an attacker to circumvent traditional perimeter security measures, such as firewalls, and are particularly dangerous because they could allow an attacker to compromise an entire network by gaining access through a single local system.

Typically, web application vulnerabilities are targeted by attacks that take advantage of input validation errors and the improper handling of submitted requests. This can allow an attacker to execute malicious code on the target system, retrieve private information, deny service from the application or deface the web interface. For instance, a worm targeting a web application was detected in December 2004: dubbed Perl.Santy, it targeted the popular phpBB forum software.

There are numerous reports and data sources covering viruses, network-based attacks, public vulnerability announcements, and Spam/Phishing schemes to help characterize a portion of threats made possible via the Internet. These include the Symantec Internet Security Threat Report, US-CERT, SANS Internet Storm Center, and many others. Even with this heavy – and sometimes self-serving – emphasis on traditional network security threats, these sources expose a trend toward web application attacks. For example, in the latest Symantec Internet Security Threat Report (Volume IX, July 05 – Dec 05), it is reported: “of the vulnerabilities disclosed between July and December 2005, 69% were associated with Web applications. This represents a 15% increase over the first half of 2005 when they made up 60% of all vulnerabilities. In the second half of 2004 they accounted for 49% of all vulnerabilities.” The report goes on to state that this increase in web application vulnerabilities has led to an increase in automated and directed attacks against web applications from hackers and malicious users.
